[00:00.000 --> 00:09.560]  Hi, today I'd like to share my experience on how to relay NFC traffic for Tesla Model 3.
[00:11.800 --> 00:19.660]  So my name is Kevin2600. I'm currently working for a company called InGeek in Shanghai, China,
[00:19.660 --> 00:24.080]  and we're focused on research and pen testing for smart car security.
[00:24.080 --> 00:29.980]  We also built a project called CarSRC, which is China's first car security response center.
[00:31.520 --> 00:38.520]  So you're welcome to follow me on Twitter on Kevin2600 or just if you're interested
[00:38.520 --> 00:47.720]  and check out a barcode here for a company website, right? Okay, so here's our content
[00:47.720 --> 00:53.740]  for today. First, I'd like to talk about some basic knowledge and the applications regarding
[00:53.740 --> 00:58.240]  to NFC. And then I think maybe I should...
[01:01.540 --> 01:09.660]  And then I will talk about the key fobs architecture for Tesla Model 3. And eventually,
[01:09.660 --> 01:17.340]  I will walk through the challenge we have faced and how do we bypass it during the NFC relay
[01:17.340 --> 01:25.780]  research, right? So NFC 101. I don't think we need to talk about too much on this at this point
[01:25.780 --> 01:32.940]  because a lot of people already know about NFC. But basically, NFC stands for Near Field
[01:32.940 --> 01:40.980]  Communication. It's most likely operating on passive mode and it's really working in
[01:40.980 --> 01:46.400]  close range. We are talking about centimeters here. And the operation frequency is usually
[01:46.400 --> 01:56.480]  going to be 13.56 MHz. And you can use things called NDEF to change the data back and forth,
[01:56.480 --> 02:04.260]  right? So the NFC technology is already widely developed, right? So we can see a lot of applications
[02:04.260 --> 02:12.460]  based on it in today's world. So for example, our payment system, our passport, and our card for
[02:12.460 --> 02:22.360]  access our business buildings are all most likely NFC or RFID based. And then there's a new trend
[02:22.360 --> 02:29.940]  for using NFC for car keys. And here's some of car manufacturers already using it. As we can see,
[02:29.940 --> 02:39.080]  like BMW or BYD and like our main target today, Tesla, they're using it. And they come with
[02:39.080 --> 02:47.340]  different size of forms, right? So interestingly, even Apple has enabled a new feature called car
[02:47.340 --> 02:57.200]  key for the latest. So yeah, I think the digital car keys is really the future. And
[02:58.640 --> 03:05.660]  now speaking of Tesla, Elon Musk, he's so proud of it. He mentioned that Tesla is a sophisticated
[03:05.660 --> 03:13.280]  computer on wheels, right? So if it's a computer, the hackers or security research will be interested
[03:13.280 --> 03:20.440]  in it. And so here's a small list that I grabbed from the Tesla website. As you can see, there are
[03:20.440 --> 03:27.340]  many researches, researchers has found vulnerability and report to Tesla for the past few years.
[03:27.340 --> 03:29.500]  And so for example...
[03:31.980 --> 03:38.520]  Oh, sorry. Okay. So for example, the famous hacks from Tencent Keen Lab,
[03:38.520 --> 03:43.980]  they were able to exploit the Wi-Fi stack on Tesla Model S. And then they also
[03:43.980 --> 03:51.880]  done a great experiment on Tesla Autopilot. So if you guys are interested, I recommend that you
[03:51.880 --> 03:58.780]  check it out. Also, there's some more independent researcher. So for example, one guy called
[03:58.780 --> 04:06.220]  Richard Zhu, he won the last year Pwn2Own competition. He basically able to pwn the
[04:06.220 --> 04:13.700]  Tesla IVI system. Also, there is another researcher from Belgium. He's able to successfully
[04:14.660 --> 04:21.980]  crack the key, the encryptions used by Tesla Model S. And then he's able to
[04:22.820 --> 04:30.400]  successfully clone the entire key. So I think this is quite cool, right?
[04:32.700 --> 04:39.480]  However, it turns out that not just the hackers or security researchers are interested in Tesla.
[04:39.480 --> 04:45.840]  So are those professional thieves, right? But they don't care about how to write perfect
[04:45.840 --> 04:53.600]  exploits for RCE. They only want to steal the vehicles or something left inside, right? So
[04:53.600 --> 04:59.640]  they only want some very simple way. And it turns out that one of the simplest ways for them
[04:59.640 --> 05:05.060]  is called a key fob relay attack. I think this is all over the news for the past few
[05:05.800 --> 05:13.740]  months or even last year. You're going to see some guy come to your neighborhood with some
[05:13.740 --> 05:22.760]  mystery device that it can amplify your key fob and then somehow turn on your vehicles and drive
[05:22.760 --> 05:30.180]  away. And this is also the reason why we start to research on Tesla. Because we must try to see
[05:30.180 --> 05:41.860]  if it's possible to do the NFC relay for the Tesla Model 3, right? Okay, so Tesla key fob
[05:41.860 --> 05:48.200]  architecture. So let's talk about this. Okay, so before I start, I'd like to talk about some
[05:48.200 --> 05:56.260]  research procedures. The first, usually when we start to research something, we usually start
[05:56.260 --> 06:03.160]  with some reconnaissance, right? So basically, at this stage, we try to read as many as possible
[06:03.160 --> 06:10.060]  the manuals regarding your target. And also you can sit down with your friends, your colleagues,
[06:10.060 --> 06:17.720]  and to do some brainstorm to see what kind of attack vectors that you can have, right? And
[06:17.720 --> 06:24.640]  once you have that ready, then you can really just sit down and actually implement some attack
[06:24.640 --> 06:34.760]  plans. And then you can go to actually doing it, right? So usually when we're testing
[06:34.760 --> 06:43.340]  for like Tesla here, we are not expecting that it will success in the first time.
[06:43.340 --> 06:49.340]  So usually it will fail, but that's okay. We just try harder and repeat. Eventually, we'll find
[06:49.340 --> 07:00.520]  something, right? Cool. So for Tesla, now in order to access the Model 3, Tesla has provided us
[07:00.520 --> 07:09.780]  three different ways, right? For example, we can use NFC tag, and Tesla also provided mobile
[07:10.300 --> 07:18.860]  apps for us to try to control your car through Bluetooth. And later, they also provided
[07:18.860 --> 07:27.000]  the physical key fob, also have been using Bluetooth and NFC here, okay? And just like
[07:27.000 --> 07:34.380]  any other radio device, Tesla key fobs, we can find a thing called FCC ID. So this is important
[07:34.380 --> 07:42.280]  for us at a recon stage, because first we need to know as much as possible regarding your
[07:42.280 --> 07:52.120]  target, right? So from here, we search the FCC ID to the website, and then we can find,
[07:52.120 --> 08:02.140]  say, for example, we can find that Tesla Model 3 key fob using a CC2640 chipset. And also,
[08:02.140 --> 08:10.840]  this is also for key fob reader, the reader module, and also having to using CC2640. So by this
[08:10.840 --> 08:18.960]  information, really, we can have even without even actually open the... even without own one
[08:18.960 --> 08:24.860]  of these vehicles, you already know something about it, right? That's pretty cool. Now,
[08:24.860 --> 08:31.720]  regarding the NFC key tag itself,
[08:31.720 --> 08:46.040]  actually, it's just like any other NFC tag, it supports ISO 14443 type A, and also ISO 7864
[08:47.760 --> 08:56.630]  standards. And basically, it's a Java smart card. So we can use some already existing
[08:57.060 --> 09:04.340]  application to grab this information, right? There's a lot of application can do as
[09:04.340 --> 09:13.380]  you can see here. Yeah, the difference between those two ISO standards, one is contact, and one
[09:13.380 --> 09:20.020]  is contactless. They are very similar. And on top of application layer, they all the same, just using
[09:20.020 --> 09:31.300]  APDU to talk to your car. Okay, so and, and then I recommend that people serious about researching
[09:31.300 --> 09:41.140]  on RFID security, you definitely need to go get one of the PM, Proxmark 3. Yeah, I think this is
[09:41.140 --> 09:50.240]  very important. So basically, we can use PM3 to, to identify your, your targets, which is key
[09:50.240 --> 10:05.620]  fob here. And I can see identify as an NXP MIFARE DESFire 4k EV1 type card. Okay, so and here's
[10:05.740 --> 10:10.960]  a little summary here. So the Tesla NFC key tag is seven bytes.
[10:11.700 --> 10:16.840]  It uses seven byte UID. And it is a Java based card.
[10:17.800 --> 10:24.580]  The most important part is here is the actually using the ECDH for a challenge response for
[10:24.580 --> 10:33.240]  authentication. So and as I mentioned, Proxmark 3 is really helpful during the research, as you can
[10:33.240 --> 10:40.980]  see the picture right here. I, we are able to use Proxmark 3 to talk to, to send different
[10:40.980 --> 10:49.440]  commands, APDU commands to your target, to the tag. And we can able to get some information out,
[10:49.440 --> 10:55.880]  for example, a public key, or different Java applets, like sending different AID to require
[10:55.880 --> 11:06.000]  different Java applet to do some testing. So yeah. And right. So now I think it's time for
[11:06.000 --> 11:14.580]  some real hacks, right? Cool. Um, so since our goal here is actually to get NFC relay working,
[11:14.580 --> 11:20.980]  and there are many research has done great jobs in this area already. So in beginning, we don't
[11:20.980 --> 11:28.420]  want to reinvent the wheels. So we've, we just do some research and find there's a very cool
[11:28.420 --> 11:36.520]  application called NFCGate. And NFCGate is basically is Android application is meant for
[11:36.520 --> 11:42.660]  capture, analyzing, or even modifying NFC traffic on the fly. So basically, it's pretty cool. It's
[11:42.660 --> 11:49.960]  perfect for us, right? And to operate it, basically, we need two mobile phones running
[11:49.960 --> 11:58.700]  NFCGate. And we need to set our Wi-Fi server in the middle, right? So can true to send to relay
[11:58.700 --> 12:09.620]  through the traffic. Um, so yeah, so for the first for the test run, um, we're, we're trying to
[12:09.620 --> 12:17.340]  target our credit card system to see if we can buy a coffee for free, right? So with someone's,
[12:17.340 --> 12:22.960]  with my colleague's card, basically. So, and so here's the result I would like to show you.
[12:24.380 --> 12:31.920]  Right, so basically, we try to was one of the colleague to pretend to be a bad guys and me just
[12:31.920 --> 12:38.440]  try to read out the someone else's card, right?
[12:45.630 --> 12:49.010]  Yeah, as you can see, the traffic is already go through.
[12:52.110 --> 13:03.030]  We're successfully to buy, to get coffee for free. And by this point, we're very, yeah. Yeah,
[13:03.030 --> 13:11.350]  by this point, we're very happy. So we run to a parking lot for hours to test the Model 3.
[13:14.070 --> 13:21.070]  Unfortunately, it failed for the first attempt, right? As I mentioned, usually it will fail for
[13:21.070 --> 13:30.330]  the first time. But let's find out why it happened. What happened exactly, right? Okay, so
[13:32.350 --> 13:40.010]  and again, we brought out our Proxmark 3 and start to capture and compare the NFC traffic
[13:40.010 --> 13:48.910]  between the actual Tesla key tag and the other which relayed by NFCGate to do some, to see
[13:48.910 --> 14:00.310]  if there's anything I'm, we were missed. And yeah, so here are the traffic data we
[14:00.310 --> 14:08.010]  captured by PM3, Proxmark 3. And also here are the traffic we captured by NFCGate itself.
[14:08.010 --> 14:16.330]  It has a logging file function. So as you can see, one of the response by the tag is it can convert
[14:16.330 --> 14:24.410]  back to convert the hex string to something we can read as a Tesla logic, which indicate that
[14:24.410 --> 14:35.030]  it is Tesla's NFC key tag. Okay, so let's walk through some
[14:36.470 --> 14:42.470]  those hex strings, try to understand what's going on here. So first,
[14:42.470 --> 14:46.830]  yeah, so this is important here, right? So first, the
[14:50.290 --> 15:02.070]  the reader, the sorry, the reader will send out a request asking for Tesla logic AID for
[15:03.470 --> 15:13.250]  like TPK, which stands for Tesla phone key. But because we are actually using the NFC key tag,
[15:13.250 --> 15:20.510]  our reader, our tag will respond with 6D00, which means instruction invalid, which is,
[15:20.510 --> 15:28.350]  which means this particular AID doesn't exist. So and then the Tesla will send another request,
[15:28.350 --> 15:37.250]  will send another request asking for TKC, which is Tesla key card. And yes, executed successfully
[15:37.250 --> 15:48.330]  by like 9000. And because we are using Tesla key card, so yeah, it does exist. So then the reader
[15:48.330 --> 15:55.910]  will send and select this particular AID. Okay, now, like this is a Tesla logic applet list,
[15:55.910 --> 16:01.030]  right? And then the reader will send out authentication command for this particular
[16:01.590 --> 16:09.210]  AID. And like they send out a vehicle public key and followed by a 16-byte challenge.
[16:09.210 --> 16:16.190]  Now for the tag itself, we have to respond with a 16-byte response.
[16:16.830 --> 16:24.990]  And once we have that sorted out, then we are authenticated to the reader and then we can do
[16:25.550 --> 16:30.990]  action like open the car, open the door or close the door and stuff, something like that, right?
[16:31.190 --> 16:39.270]  So as you can see, the whole authentication process is kind of simple. But why we
[16:39.870 --> 16:46.750]  endlessly read a tag on credit card system, it works. The Model 3 is not. And turns out,
[16:46.750 --> 16:54.650]  the reason is the payment terminal, the POS system is not required to stop the transaction
[16:54.650 --> 17:01.130]  if it takes longer time. But the Tesla, on the other hand, has more restriction on timing.
[17:01.130 --> 17:07.910]  It has to respond in a very specific time. Otherwise, it will be time out.
[17:08.050 --> 17:14.450]  If we say, if we didn't respond to the correct answer on AID on time and then it failed, right?
[17:14.450 --> 17:20.390]  So because we are relaying, remember we are relaying traffic through Wi-Fi network and there's a
[17:20.390 --> 17:33.370]  lot of things can happen during this transaction. So now our job is to increase our speed. And
[17:33.370 --> 17:39.710]  luckily, there's a great researcher called Stefano. He is kind enough to give us some advice.
[17:40.550 --> 17:47.930]  But unfortunately, this second attempt also failed. But thanks for him.
[17:49.450 --> 17:59.390]  Let's try harder, right? Let's see. And then my colleague, Alex, he came up with some idea
[17:59.390 --> 18:05.850]  to verify because at that point, we're not really sure if it is a timing issue only or maybe
[18:05.850 --> 18:13.550]  something else blocked the way. So his idea is instead of relaying traffic by Wi-Fi, maybe we're
[18:13.550 --> 18:23.910]  using the USB cables because all the traffic then you transfer locally. So it's supposed to be very
[18:23.910 --> 18:34.490]  very fast, right? Let's see if that works. So here's our first video. You can always check out
[18:34.490 --> 18:45.090]  YouTube on this for later, right? Yeah, cool. As you can see, we actually relay by the USB. It
[18:45.090 --> 18:55.470]  works. So it is timing. It is where you have to find a way to increase the speed. But how?
[18:58.660 --> 19:09.560]  And then, yes, we found another trick from the same guy, Salvador, which is inspiring us
[19:09.800 --> 19:19.320]  a lot. Because basically, he has given a talk at DEF CON 26. Basically, he was able to
[19:19.800 --> 19:27.480]  bypass the payment limit by simply replacing a certain value during the transaction.
[19:27.700 --> 19:34.960]  And also, he can able to replay. Also, again, same trick, replace different values in order to
[19:36.420 --> 19:44.520]  instead of using EMV, he actually turned to using magstripe for payment systems.
[19:44.520 --> 19:48.600]  So let's get us thinking. Can we do the same?
[19:51.160 --> 19:55.780]  So let's go back to the traffic we captured by
[19:56.660 --> 20:09.380]  Proxmark 3. So basically, remember we mentioned that the first reader will send out...
[20:10.000 --> 20:17.780]  they're asking for a particular Java applet AID, which never exists. It actually starts with F4.
[20:17.800 --> 20:25.560]  And then, because it doesn't exist, it will be failed. So they send another request asking for
[20:25.560 --> 20:34.060]  another Java applet, starts with 74. So can we do something about here?
[20:36.420 --> 20:45.240]  And definitely, yes. So let's... sorry, I draw a very ugly picture here, but let me try to
[20:45.240 --> 20:51.740]  explain what happened. So basically, first, Tesla Model 3 will send out... the reader will send out
[20:52.520 --> 21:00.480]  a request looking for a Java applet F4. But because it doesn't exist,
[21:00.480 --> 21:09.060]  the tag will reply response with 6D00, so it doesn't exist.
[21:09.780 --> 21:19.620]  And so that... instead we redirect the 6D00, we send...
[21:22.720 --> 21:29.130]  we actually forwarding... instead of looking for F4, we're forwarding that...
[21:30.060 --> 21:35.880]  you're asking for 74, because we know that 74, a Java applet, does exist. And
[21:38.140 --> 21:43.900]  because... and then, obviously, tag will receive this request, will say, okay, you are... you're
[21:43.900 --> 21:51.100]  asking for 74, then we... it doesn't exist, and then we just respond with 9000. And you will...
[21:51.100 --> 22:01.820]  and then we're using another NFCGate to send those response back. Because... and that takes
[22:01.820 --> 22:11.300]  some time here. So by the time we're processing this command, the Tesla Model 3 will send another
[22:11.300 --> 22:17.940]  request looking for... the actual request sending... looking for 74. And that's the one actual... the
[22:17.940 --> 22:26.920]  real one sent by the models, read module. But we... because we are in the middle, so we drop it,
[22:26.920 --> 22:38.580]  right? We don't need a second 74. So now by the time we finish... we've done this, the 9000 has
[22:38.580 --> 22:46.320]  already arrived. So by this end, so we can just forward it to the Tesla Model 3. And once Tesla Model 3...
[22:46.880 --> 22:52.000]  seems interesting here now. Once they... we bypass those
[22:55.400 --> 23:05.780]  AID selection, we go to a challenge response stage. At this stage, it seems... it seems like
[23:05.780 --> 23:10.640]  during the test, it seems like we don't have any time limit anymore. We can send and wait
[23:10.640 --> 23:20.240]  as long as we want, right? So yeah, basically we just dropped one... instead of looking for two
[23:20.240 --> 23:27.220]  different AIDs, like F4 and 74, we just dropped one of them, and sent in... looking for 74
[23:27.220 --> 23:39.840]  directly. We will simply... by doing this, we successfully bypass the time limit, right? So
[23:41.820 --> 23:48.580]  and here's... we just play this... we do the demo to show the whole process, okay?
[23:56.290 --> 24:05.010]  As you can see, we... because it's a traffic relayed by Wi-Fi, and you can
[24:05.010 --> 24:08.730]  experience a little bit slow, but it still works, right? As you can see,
[24:08.730 --> 24:19.960]  it will open, and you can check out the current phone... the firmware,
[24:22.080 --> 24:28.520]  right? And then we drop...
[24:30.980 --> 24:44.920]  and driving away. Okay, cool. Now, because we want to see how practical this NFC relay attack
[24:44.920 --> 24:52.040]  is, so we're testing with a lot of... we want to see if it works in long distance, right?
[24:52.040 --> 24:58.220]  So here's another video I want to show... demo I want to show you, as we are actually testing
[24:58.220 --> 25:08.580]  in kind of far away. Let's see the results, right? So as you can see,
[25:08.580 --> 25:14.740]  my car is kind of far away in the parking lot. Yeah, it still works, right?
[25:14.920 --> 25:27.180]  Cool, beautiful. So by this stage, we're very happy and report our findings to Tesla, and
[25:29.200 --> 25:37.540]  however, Tesla replied our email and said that the relay attack are a known limitation for their
[25:37.540 --> 25:47.200]  systems. And we recommend customers who are concerned about relay attack enable pin-to-drive.
[25:47.200 --> 25:56.000]  So basically, there's no bounty, and they know the vulnerability exists, but they don't think
[25:56.000 --> 26:02.020]  it's very important, because they think they already have something called a pin-to-drive ready.
[26:02.020 --> 26:05.160]  So here's our work result.
[26:09.500 --> 26:17.640]  So first, basically, even... so basically, what we need to... I need to address here is pin-to-drive
[26:17.640 --> 26:24.160]  is actually not protecting from the relay attack. It's only protecting you... once you open the...
[26:24.160 --> 26:30.600]  we open the door, you cannot start engine. You have to enter in some pin, right? But
[26:31.120 --> 26:37.660]  we are still able to open the door. And so basically, the risk is still there, right?
[26:37.660 --> 26:44.760]  So once we get in, or bad guy get in, they can't... yes, they may not able to steal your vehicle,
[26:44.760 --> 26:52.040]  but they still can steal some stuff inside your car, or even worse, they can put something in,
[26:52.040 --> 27:00.920]  spy camera, or some cheap... and yeah, so I think the pin-to-drive is really a debatable
[27:00.920 --> 27:09.680]  solution from Tesla. But anyway, we apply a CVE, and we get a CVE here, and we're happy enough,
[27:09.680 --> 27:20.900]  right? But what is pin-to-drive anyway? So basically, I found this pin-to-drive description
[27:20.900 --> 27:29.800]  from the Tesla website. The most interesting part here is that pin-to-drive allows you to set a
[27:29.800 --> 27:38.880]  secure four-digit verification, right? Four digits. So what could possibly go wrong there,
[27:38.880 --> 27:44.860]  right? Only four-digit numbers. Now, we also, during the research, we found there's no pin
[27:44.860 --> 27:54.660]  position randomization, so it's always fixed in the middle. Now, at least,
[27:55.520 --> 28:01.140]  because this research has been done for some time now, and at the time we're testing
[28:01.520 --> 28:11.720]  on different firmware version, we can, at least at that moment, there's no brute force
[28:11.720 --> 28:20.700]  rate limitation and no brute force back-off time. But maybe they are fixed now, but a lot of time,
[28:20.700 --> 28:29.420]  it doesn't have anything. So, four-digit numbers, no brute force protections, yeah? You get the idea?
[28:31.120 --> 28:45.720]  So, oops. So, we actually built a hardware based on something called M5Stack.
[28:46.600 --> 28:53.000]  I named it pin-to-crack, right? So, basically, we can use that to...
[28:54.660 --> 29:00.160]  of course, we can do with, maybe we can do it with Raspberry Pi or with Arduino. It doesn't
[29:00.160 --> 29:07.840]  have to be M5Stack. Basically, the idea is just... instead we push the pin number itself,
[29:07.840 --> 29:14.480]  we can do it automatically, right? So, now, but there's a catch though. Oh, by the way, there's
[29:14.480 --> 29:26.160]  another guy doing a similar attack on his Tesla as well. But this is our solution, so similar,
[29:26.160 --> 29:35.340]  same idea. However, the catch is we have to finish the whole setup process under two minutes.
[29:35.440 --> 29:42.340]  Otherwise, we have to relay the Tesla key tag again. Now, by just... what we found is by just
[29:42.340 --> 29:50.100]  setting up those... because we have to focus on the exact position on the screen. By just setting
[29:50.100 --> 29:57.720]  up everything set up already, it's already a lot of times. So, we maybe... instead of
[29:58.340 --> 30:03.540]  using the device, we're just using our first fingers, right?
[30:05.000 --> 30:14.680]  So, here we're going to just show you the first finger will work. So, first, we are able to
[30:15.900 --> 30:21.900]  open the door, we get in, but because there's a pin to drive function already, we have to
[30:21.900 --> 30:28.920]  enter the pin, right? So, as you can see the firmware version, verify the firmware version,
[30:28.920 --> 30:34.840]  right? Yeah, the pin drive. So, as you can see, in the beginning we pretend we don't know
[30:34.840 --> 30:42.700]  anything about a pin, so we just randomly or brute force try to try our luck. Now, the point here
[30:42.700 --> 30:53.720]  is we can see there's no brute force protection. We can just run... maybe not random, we open...
[30:53.720 --> 31:01.320]  we just entering... keep entering a different pin, even try to see if we get a lock. So,
[31:01.320 --> 31:05.860]  let me speed up a little bit.
[31:08.360 --> 31:18.430]  Okay, okay. See, there's nothing stop us to keep entering the pin, right? Let me see...
[31:24.250 --> 31:37.860]  Let me see where's the... actually, I don't know where's the actual key,
[31:37.860 --> 31:43.060]  so I don't know where to start. Oh, see, here, we got it, right? So, as you can see,
[31:43.060 --> 31:49.320]  during this lock... this is only demonstration, the actual attack maybe take longer, but yeah,
[31:49.320 --> 31:53.360]  the point is they don't have anything protecting it, right? So, we can just,
[31:53.360 --> 31:58.860]  using our first finger, maybe you can get them. Yeah, so, good to go.
[32:02.080 --> 32:14.800]  Okay, all right. So, the summary here. So, really, the security by obscurity is not going to work,
[32:14.800 --> 32:25.120]  right? So, the 100% security does not exist. We have to test properly. We need to... even like,
[32:25.120 --> 32:32.900]  vehicles, you may think like those high-end cars are very secure, but once they implement some
[32:35.100 --> 32:42.000]  latest technology, then it actually opens more attack vectors for the attackers. So,
[32:42.000 --> 32:52.160]  we need to really think this carefully, okay? Yeah, so, here are some references. If you guys
[32:52.160 --> 32:56.940]  are interested to continue your research, I definitely recommend you can try those
[32:56.940 --> 33:08.180]  I just mentioned, and you go to... all those guys are very good in this area. Yeah, so,
[33:08.180 --> 33:13.400]  go check them out, all right? Okay, thank you. I'm done.
